How do I troubleshoot errors with SSL certificates that are generated by API Gateway?

Last updated: 2022-12-15

I'm experiencing issues with self-signed and expired SSL certificates installed on my backend system. How do I fix these errors?

Short description

When Amazon API Gateway performs an SSL handshake with the backend, API Gateway expects the backend to present certificates that are issued by trusted issuers. API Gateway expects the certificates to be valid and not expired. API Gateway also expects the chain of trust to be intact. This means that API Gateway expects the certificate chain presented by the backend to include the root certificate authority (CA), any intermediate CAs, and the issuing (parent) certificate details. With this information, API Gateway can complete certificate validation by walking the chain of certificates from the backend's certificate up to a trusted root.

Resolution

Test HTTP proxy integration

To familiarize yourself with HTTP proxy integrations, test against deliberately bad SSL certificates from the API Gateway console. Use the external website badssl.com, which provides bad SSL certificates for testing.

1. Create a resource named "/selfsigned" with a GET method. Then, configure an HTTP proxy integration with the URL https://self-signed.badssl.com/.

From the API Gateway console, test the API. You receive the following error:

Thu Dec 15 16:05:05 UTC 2022 : Sending request to https://self-signed.badssl.com/
Thu Dec 15 16:05:05 UTC 2022 : Execution failed due to configuration error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2. Create a resource named "/expiredcert" with a GET method. Then, configure an HTTP proxy integration with the URL https://expired.badssl.com/.

From the API Gateway console, test the API. You receive the following error:

Thu Dec 15 16:06:02 UTC 2022 : Sending request to https://expired.badssl.com/
Thu Dec 15 16:06:02 UTC 2022 : Execution failed due to configuration error: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

3. Create a resource named "/untrustedRootCA" with a GET method. Then, configure an HTTP proxy integration with the URL https://untrusted-root.badssl.com/.

From the API Gateway console, test the API. You receive the following error:

Thu Dec 15 16:06:28 UTC 2022 : Sending request to https://untrusted-root.badssl.com/
Thu Dec 15 16:06:28 UTC 2022 : Execution failed due to configuration error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
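The three tests above all surface as one of two Java PKIX messages in the execution log: "path building failed" when no path to a trusted root exists (self-signed leaf, untrusted root, or a missing intermediate), and "path validation failed ... validity check failed" when the chain exists but a certificate is outside its validity period. The following script is an added example, not part of the AWS article: it triages API Gateway execution-log lines into those root causes, and, where network access is available, performs the same kind of trust-store handshake against a backend host and maps the OpenSSL verify code to the same categories. The sample log text is copied from the console output shown above; the badssl.com hostnames are the ones the article uses.

```python
"""Triage backend TLS certificate failures as API Gateway reports them.

Added example (not from the AWS article). classify_pkix_message and
triage_execution_log work offline on execution-log text; probe_backend
needs network access to the host it checks.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Tuple

# OpenSSL X509_V_ERR_* codes exposed as ssl.SSLCertVerificationError.verify_code.
VERIFY_CODES = {
    10: "expired",            # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self-signed",        # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted-root",     # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "incomplete-chain",   # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "incomplete-chain",   # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "hostname-mismatch",  # X509_V_ERR_HOSTNAME_MISMATCH
}

# Sample log text, copied from the API Gateway console output in the article.
SAMPLE_LOG = """\
Thu Dec 15 16:05:05 UTC 2022 : Sending request to https://self-signed.badssl.com/
Thu Dec 15 16:05:05 UTC 2022 : Execution failed due to configuration error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Thu Dec 15 16:06:02 UTC 2022 : Sending request to https://expired.badssl.com/
Thu Dec 15 16:06:02 UTC 2022 : Execution failed due to configuration error: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Thu Dec 15 16:06:28 UTC 2022 : Sending request to https://untrusted-root.badssl.com/
Thu Dec 15 16:06:28 UTC 2022 : Execution failed due to configuration error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""


@dataclass(frozen=True)
class Diagnosis:
    target: str
    category: str  # "ok", "expired", "trust-chain", "self-signed", ...
    detail: str


# Execution-log shapes: "<timestamp> : Sending request to <url>" and
# "<timestamp> : Execution failed due to configuration error: <PKIX message>".
_SENDING_RE = re.compile(r" : Sending request to (\S+)")
_FAILED_RE = re.compile(r" : Execution failed due to configuration error: (.+)$")


def classify_pkix_message(message: str) -> Tuple[str, str]:
    """Map the Java PKIX text that API Gateway logs to a root-cause category."""
    if "validity check failed" in message:
        return "expired", "certificate is expired or not yet valid; renew it on the backend"
    if "unable to find valid certification path" in message:
        return ("trust-chain",
                "no path to a trusted root: self-signed leaf, private or untrusted root, "
                "or an intermediate missing from the chain the backend serves")
    return "unknown", message


def triage_execution_log(log_text: str) -> List[Diagnosis]:
    """Pair each 'Sending request to' line with the failure line that follows it."""
    results: List[Diagnosis] = []
    target = "<unknown>"
    for line in log_text.splitlines():
        sending = _SENDING_RE.search(line)
        if sending:
            target = sending.group(1)
            continue
        failed = _FAILED_RE.search(line)
        if failed:
            category, detail = classify_pkix_message(failed.group(1))
            results.append(Diagnosis(target, category, detail))
    return results


def probe_backend(host: str, port: int = 443, timeout: float = 5.0) -> Diagnosis:
    """Handshake with the backend using the local trust store, as API Gateway would.

    Network access required. On verification failure, the OpenSSL verify code
    is translated into the same categories used for the log triage.
    """
    ctx = ssl.create_default_context()  # system CAs, hostname check, no expired certs
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                return Diagnosis(host, "ok", f"chain verified; leaf valid until {not_after}")
    except ssl.SSLCertVerificationError as err:
        category = VERIFY_CODES.get(err.verify_code, "other")
        return Diagnosis(host, category,
                         f"openssl verify code {err.verify_code}: {err.verify_message}")


if __name__ == "__main__":
    for diag in triage_execution_log(SAMPLE_LOG):
        print(f"{diag.target}: {diag.category} - {diag.detail}")
    # Live probe of the same three test hosts (needs network access):
    for host in ("self-signed.badssl.com", "expired.badssl.com", "untrusted-root.badssl.com"):
        print(probe_backend(host))
```

Run the live probe from a host with outbound HTTPS before changing the API: if the local trust store rejects the backend for the same reason the execution log shows, the fix belongs on the backend (renew the certificate, or serve the full chain up to a publicly trusted root), not in API Gateway.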

With VPC link integration, API Gateway performs certificate validation with the next hop that performs TLS termination.

When a Network Load Balancer has a TLS listener, the Network Load Balancer performs TLS termination and opens a separate connection to the target. The certificate attached to the Network Load Balancer must meet all of the requirements described above. A Network Load Balancer doesn't perform certificate validation during the SSL handshake with the target, so it accepts expired or self-signed certificates that are installed on the target instances. The Network Load Balancer and the target groups are bound within a VPC, and communications between them are secure. If the Network Load Balancer is using a TCP listener, the TLS handshake happens end-to-end between API Gateway and the target. In that case, the backend application itself must comply with the SSL requirements.

API Gateway supports Server Name Indication (SNI) during an SSL handshake over a VPC link integration.

If the backend Network Load Balancer has a self-signed or private certificate that hasn't been issued by a CA, you receive the following error:

Execution failed due to configuration error: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The workaround for this execution failure is to set insecureSkipVerification to true in the integration's tlsConfig object. This turns off the trust-chain check that produced the error, so API Gateway then accepts the self-signed or private-CA certificate on the Network Load Balancer:

aws apigateway update-integration --rest-api-id abcde --resource-id abcd --http-method GET --patch-operations op='replace',path='/tlsConfig/insecureSkipVerification',value='true'